
Filtering on tcp flags 15.6 – Westermo MR Series User Manual


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

15.6 Filtering on TCP Flags

An ip-object can be followed by an optional [flags] field. This field allows the script to filter on
any combination of TCP flags. The [flags] field consists of the flags keyword followed by a string
specifying the flags to check; each letter in this string represents one flag, as listed below:

Code   Flag
f      FIN flag
r      RESET (RST) flag
s      SYN flag
p      PUSH (PSH) flag
u      URG flag
a      ACK flag

These flag codes allow the filter to check any combination of flags.

Following on from the previous example, to block packets that have all six flags set (a combination
no legitimate TCP packet carries) you would precede the pass rule with the following block rule:

block break end from any to 10.1.2.0/24 port=telnet flags frspua

Here, the list of flags causes the unit to check that those flags are set. This list may optionally be
followed by an exclamation mark ("!") and a second list of flags that the unit should check are
clear. For example:

flags s !a

would test for the s flag being on and the a flag being off with all other flags ignored.

As a further example, suppose we want to allow outward connections from a machine at
10.1.2.33 to a Telnet server. We have to define filter rules that pass the outbound connection and the
inbound response packets. Because this is an outbound Telnet service we can use the fact that every
incoming packet of the connection will have its ACK bit set; only the first packet establishing the
connection (the outbound SYN) has the ACK bit off. The filter rules to do this look like this:

pass out break end from 10.1.2.33 port>1023 to any port=telnet

pass in break end from any port=telnet to 10.1.2.33 port>1023 flags a

The first rule allows the outward connections, and the second allows the response packets back in,
which must always have the ACK flag on. The second rule filters out any inbound packet that does not
have the ACK flag set, so an attacker cannot open a connection onto the private network simply by
setting the source port to the Telnet port. Note that the check is on flags alone: an inbound packet
with ACK set and source port 23 still matches even when no connection is open, so this rule does not
stop ACK-based probing. There is a simpler and more robust way to achieve the same effect using the
inspect state option described below.
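The following is an added illustration, not the router's own filter code: it models the [flags] field semantics described above (a set-list, an optional "!" clear-list, all other flags ignored) and evaluates the two Telnet rules against a handful of constructed packets. The Packet and Rule classes, the small service-name table, and the default of blocking when no rule matches are assumptions made for the example.

```python
"""Model of the MR Series [flags] field and the Telnet rule pair from this
section. Constructed illustration, not the router's code; the default policy
(block when nothing matches) and the service table are assumptions."""
import ipaddress
from dataclasses import dataclass

# Standard TCP flag bit values, keyed by the manual's one-letter codes.
FLAG_BITS = {"f": 0x01, "s": 0x02, "r": 0x04, "p": 0x08, "a": 0x10, "u": 0x20}
SERVICES = {"telnet": 23, "ssh": 22, "http": 80}  # assumed minimal name table


def _mask(letters):
    """Turn a string of flag codes such as 'frspua' into a bit mask."""
    mask = 0
    for ch in letters.replace(" ", ""):
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag code {ch!r}")
        mask |= FLAG_BITS[ch]
    return mask


def parse_flags_field(field):
    """'flags s !a' -> (must_set_mask, must_clear_mask); '' -> (0, 0)."""
    field = field.strip()
    if not field:
        return 0, 0
    keyword, _, body = field.partition(" ")
    if keyword != "flags":
        raise ValueError("flags field must start with the keyword 'flags'")
    set_part, _, clear_part = body.partition("!")
    set_mask, clear_mask = _mask(set_part), _mask(clear_part)
    if set_mask & clear_mask:
        raise ValueError("a flag cannot be required both set and clear")
    return set_mask, clear_mask


def flags_match(tcp_flags, set_mask, clear_mask):
    """Required flags all on, 'clear' flags all off, other flags ignored."""
    return (tcp_flags & set_mask) == set_mask and (tcp_flags & clear_mask) == 0


def parse_port(spec):
    """'port=telnet', 'port>1023', 'port<1024' -> predicate on an int; '' -> any port."""
    if not spec:
        return lambda port: True
    op, value = spec[4], spec[5:]
    n = SERVICES.get(value) or int(value)
    return {"=": lambda p: p == n, ">": lambda p: p > n, "<": lambda p: p < n}[op]


def in_net(addr, net):
    """'any' matches everything; otherwise a host or CIDR match."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass
class Packet:
    direction: str  # "in" or "out" relative to the private network
    src: str
    sport: int
    dst: str
    dport: int
    flags: int      # raw TCP flag bits


@dataclass
class Rule:
    action: str      # "pass" or "block"
    direction: str   # "in", "out", or "" for either
    src: str         # host, CIDR, or "any"
    sport: str       # port spec such as "port>1023", or "" for any
    dst: str
    dport: str
    flags: str = ""  # optional [flags] field, e.g. "flags s !a"

    def matches(self, p):
        set_mask, clear_mask = parse_flags_field(self.flags)
        return (self.direction in ("", p.direction)
                and in_net(p.src, self.src) and parse_port(self.sport)(p.sport)
                and in_net(p.dst, self.dst) and parse_port(self.dport)(p.dport)
                and flags_match(p.flags, set_mask, clear_mask))


def decide(rules, packet):
    """First matching rule wins ('break end'); no match -> block (assumed default)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "block"


# The two rules from this section: outbound Telnet from 10.1.2.33.
TELNET_RULES = [
    Rule("pass", "out", "10.1.2.33", "port>1023", "any", "port=telnet"),
    Rule("pass", "in", "any", "port=telnet", "10.1.2.33", "port>1023", "flags a"),
]
SYN, ACK = FLAG_BITS["s"], FLAG_BITS["a"]


def demo():
    """Constructed packets: client SYN and server SYN/ACK pass, a SYN spoofed from
    port 23 is blocked, but an ACK-only probe from port 23 still passes."""
    return {
        "client_syn": decide(TELNET_RULES, Packet("out", "10.1.2.33", 40000, "203.0.113.5", 23, SYN)),
        "server_synack": decide(TELNET_RULES, Packet("in", "203.0.113.5", 23, "10.1.2.33", 40000, SYN | ACK)),
        "spoofed_syn": decide(TELNET_RULES, Packet("in", "198.51.100.9", 23, "10.1.2.33", 40000, SYN)),
        "ack_probe": decide(TELNET_RULES, Packet("in", "198.51.100.9", 23, "10.1.2.33", 40000, ACK)),
    }
```

The last entry returned by demo() is the point of the caveat above: a flags-only rule accepts any inbound segment carrying ACK from source port 23, whether or not a connection exists, which is why stateful inspection is the better tool for return traffic.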
